>> Welcome folks. My name is Bart, and I will be talking about the legacy, or the AS/400, IBM System i, whatever you call it; the guys at IBM get nice bonuses for changing the names every few years. I will call it AS/400. Short introduction: I'm googleable, so you can check my Twitter. I'm a Polish national living in the Netherlands, and what I present here are my personal views and not always or necessarily -- so why should we care about legacy, or AS/400? It is legacy which is hard to get rid of. If you work in an institution you will see a lot of customer data, a lot of old programs, and it is very difficult with all the history; for example, if you have insurance policies or bank accounts, it is very difficult to migrate to new environments. So what you see often is that you have a new shiny front end, and as a back end you still have mainframe systems running, because they are just good for what they do. So many times we do care about the front end but not the back end, and that leads to a situation where back ends are somewhat less secure than the front end. Still, to my surprise, the systems are accessible, even via the internet: SMTP servers, or if you go to a retailer you can see a 5250 screen, and you can find them everywhere. I mean all banks, insurance; if you google that you will find a lot of AS/400 systems. There was a great talk back in 2006 by -- talking about the security of the system, but not much has changed from the IBM perspective. They still say -- they still have this 90s mentality: we have a green screen and it is secure enough. There are not too many new things from IBM. There is some patching, but I would say not too much from my perspective. So if you want to start your -- well, some joy with AS/400, you can buy one. I recently bought one for just 60 bucks on eBay. I could not find a cheap one now, but every now and then you can find a cheap AS/400 system to start with, or you can just hack one. If you go to Shodan you will find a lot of systems open. 
Just an example from last week: I would say I could get access to an Italian coffee maker which was just fully exposed to the internet with default passwords, so you could log in and enjoy the system. They just put it on the web and forgot it. So, going to the security of these systems: there was a talk from (indiscernible) about the 5250 security; I want to talk about something else. I want to focus on Java. Why? Because it comes together with AS/400 Access and gives you pretty much a lot of access to the system, and if you look at the IBM Toolbox for Java, it allows for remote system API calls or use of commands, so you can compile your programs in Java externally; you don't have to write your programs in CL or RPG, but you can. It bypasses the 5250 limitations, so it gets access to the command lines, and it bypasses the Navigator restrictions, so if you have set up Navigator so the user cannot download files or access databases, you can bypass that with your own Java functions. And it gives you the flexibility of working with AS/400 outside of the system, so there is no need to access development tools on the box itself. If you decompile the JT400 given by IBM, it is generally poorly written; it is inconsistent. So sometimes they just use CL in the background. So I found that I had to write my own functions. So I encourage you to decompile. I will give you a short demo about the visibility. So first we are going to connect to the system, so that the user does not have access to the commands. I have four profiles on the system. That one has sign off set, so you cannot log in. Administrators I have talked to say if you set sign off you cannot connect directly into the system. Bullshit. So this one gives you already more rights. We have access to the command line; these are all the profiles that I can see on that system with that user profile. I will also go to -- so these are the libraries that we can see. It is mostly the system libraries. So let's switch to the Java tool. This takes a while. 
So when we go to work with objects and we want to see all objects, users and the user profiles, you can see more profiles than in 5250, so Java handles the authorization in a different way, but you are not authorized (indiscernible); you can enumerate for the use. You will see there are some additional libraries which were not visible. So as you can see, there is a difference in authorization handling between Java and 5250. If you connect with -- (lost audio) -- so don't believe your administrator if they say with sign off you cannot use the (indiscernible). That is only visibility, but we want to do something more. We want to escalate the privileges, and, say, in the old times you had to have a program -- or you had to use the API and still compile on the system to be able to (indiscernible). The thing is that, if you use group profiles, which is typical for every larger application, we have like one common profile which is used for all the business accounts, so to say, and many times you add privileges by adding group profiles. I have seen this in both business applications and banking and insurance applications, and many times you see the ownership for the user is set to the group profile. For one reason: you don't want to have a situation where, if one user leaves and the account is deleted, that causes a lot of problems, so sometimes you see a default is set up and the ownership is set up in the group profile. So if you use that setup and you have a lot of users, it is likely that you will have some administrator users, and you will have some users that switch between departments and they might have some extra rights that you would not expect, and it is also likely that you do not (indiscernible); it is quite challenging to monitor. And again, using Java there is no need to write and compile programs on the AS/400, so you can use the profile handle APIs, grab the profile handle and repeat. 
We have one common group, which is the DEF CON 23 group, and one group for hot chicks, and we have bots which are the administrators on the system. So what we're going to do -- we also have hot chick 69, which is not an administrator. (indiscernible) So let's try to escalate the privileges, and I like one-click solutions, so I made some extra implementation. So let me log in as a chick, perhaps, to show the -- just to show you there are no fake authorities here. That is hot chick -- no special authorities, and hot chick profiles cannot create any other profiles, so if I just add a user profile with any of the hot chicks, hot chick 3, I will get the error message. So let's log in with the same chick, hot chick 3. We can connect again. Let's generate the list that we can see. Let me switch to hot chick 69. So I just click on hot chick 69, and as you can see I escalated privileges, so if I go now to the system -- let me escalate from hot chick 69, or let me generate the user list, so I have access to a much longer list of users. So let's click once again, and we escalated to the user QSECOFR. Can you see the whole screen now? Now? So I just run a command, and now, using QSECOFR, I created the user profile. You can see there is one button on the right side. So if I get back to the system you can see the newly created user profile. So that is something new with Java. You don't need an extra program. All right. What is also interesting, I don't have a demo for that, but you can try it on your systems; by the way, this is already available online. At the end of the presentation there will be a link, and you can find a link to where the tool is and download it. I will make some updates in the coming weeks, but you can contact me if you have questions. For part two (indiscernible), using Java gives you a lot of possible options. You can run CL commands or queries, you can run system APIs, and you can combine all of those. So many times what you see is you use commercial programs to block access to ODBC using exit points, or you use your own exit points. 
Usually, there is a lot of focus on external connections. But if you connect by Java and if you try to, say, run a query from the system, it will not detect that there is any outgoing connection, because it will be rerouted internally from the system and then outside. So in that way you can circumvent the ODBC connection limitations. I put here a small example of a query by Java, so what you do is run the well-known command (indiscernible), in that you go to (indiscernible), so you insert the QSH command and inside that you do db2 and then select, and then you put R to get some output to your principal device, and it will connect to localhost. So it will check: is there an external connection from the host to DB2? No, there is not; there is only one logon to the host. So go. So that way you can (indiscernible); you circumvent some of the exit points if they are poorly written. And to be honest, I checked a number of exit points, or sorry, exit program software, like (indiscernible) for example; if that is not for you, these programs many times have some unknown vulnerabilities, like the error case for example. So I would say use the tools to try to -- and depending on what protection you use for exit points, you may be able to test whether you can circumvent the exit points. Then the next -- and I think interesting -- part is the security and hash grabbing, and that is something I did not know before. There is one API offered by IBM called Q (indiscernible) to grab the hashes. It is used for synchronizing hashes or passwords between systems, and basically using the API, but also, from version six, using the command to dump the user profile, you can get hashes for a particular user. The output format was never published, and I talked to IBM and they said IBM (indiscernible) nor do we plan to document the output format. Obviously. So after a long exchange of e-mails with Rochester, there was no denial from their side to publish it, but no word on whether they will fix it or change anything. 
And if you go to the API, depending on your password level system value, you may be able to retrieve different hashes from the system. If you look at the security guide from IBM, somehow they still don't enforce password level (indiscernible), so with password level zero, one, two you will still be able to get the DES hashes or LM hashes. So take the lesson and escalate the privileges first, but then afterwards you can grab the hashes using the (indiscernible). Basically, if you look at the IBM documentation, they only state that what you get as output is encrypted user password data. That is it. I looked closer into that format, and what you can see is the first (indiscernible) 56 bits password substitute. So you can look at RFC 2877 to see how it is created. Then the third position is the LM hash, which is interesting for us. And then there is a bunch of other hashes. So let's grab some hashes, and we will try to do it now. Let me just, for the sake of time saving -- so let's generate the user list and, say, let's pick one profile. With the one-click solution, grab the hash. See all the hashes I was talking about. I cannot move the screen. So what I can do is just move that to the LM hash. Just save it, and I run my favorite 400. So that is where the password is 2015 and we are locked. I just finished a demo. It's 5 o'clock somewhere. So again, we talked to IBM on that, and IBM was not reactive, so if there are any IBM representatives here, perhaps you want to talk after the talk. Okay. So I also have some other research, focusing on the isolation. >> Now, stop talking. I'm kidding. Go back. You guys know the drill, what are we going to do. This is called shop a new. It is tough to be a speaker at DEF CON; listen, anyway, we want to thank you for making it as a speaker, and we have our little tradition. So, to DEF CON. (CLAPPING) When I came in here he did not have an accent. >> My accent is getting better with every shot. 
So I still have some research going on and looking at what's standing at -- there are some changes in version seven; basically IBM decided to put the JVM elsewhere. Still, I ran some tests with the same tools on that version release and I can see the same box. So there is not too much lesson learned on the Java isolation, so I still want to look inside, and at the moment I am analyzing the server side of the JVM to look at whether there is still a possibility to get more access to the system. What I also created is a command shell for AS/400, so if you happen to have an unsecured WebSphere you can upload that file and you will get a command line allowing you to run some commands on AS/400 and create an account, and I am doing some work on MI security, so isolation between the more virtual part of the system and the hardware layer. The last one: 5250 versus FTP. Sometimes I am testing environments that are behind a firewall, so you only get access to FTP, which lets you run commands and other stuff, so what I was thinking is it would be handy to make a 5250 proxy. So that is something I am working on, and in a few months you will see some tool links on the website. Just a short summary. 5250 security measures: don't trust them. There is a lot of information on the hardening of, say, the green screen. You can also look at the book of Shaun (indiscernible), but don't trust these measures only. Also look at Java and be sceptical of IBM reps; they promote (indiscernible), so take it with common sense and, having seen this presentation, look at whether you need to improve your security measures. And visit hack legacy. I uploaded the tool. You are free to change it. The whole project is in code there, and I included it already compiled (indiscernible), so you can click and open and enjoy. You can find me on Twitter and you can also approach me via the hack legacy website. And now it is time for questions. Can you repeat the question? The public authority is excluded? 
I think that is the group profile: if you use the ownership, if you use one common profile and if you use -- I will just show you. The question is what the object authority is of the profile I was swapping to. So the problem is, if you use the ownership for the profile as the group profile, it will still have access by the group profile, and as long as you don't have exclude on the list to the profile object, you are not able to mitigate it. It's not an emulator, it is (indiscernible); the question was whether I am running an emulator? It is just (indiscernible) port forwarding to the Netherlands. The question was whether Java is installed by default? Yes. If you install Client Access you get the JT400 you can use, and the problem is all the tools used by IBM, so the whole Client Access pack, are Java based, so it has to be enabled because other -- (lost audio) I write only Java. If there are no other questions -- the question is what ports Java is using; there are a number of ports, so refer to the IBM website. I don't know them by heart. There are like three ports starting with 2000, and depending on whether you use SSL there are also different ports. The question was if I found mitigation for those types of hacks; it is difficult, you have to have good object security with a lot of excludes. If you have a legacy environment with group profiles, you should just limit access to the Java part, because most of the time that user doesn't need access to the regulator, and depending on whether you use I pH, which requires extra ports for the sign-on server, or use external tooling like 5250, you can limit the ports, like 992 for the secure connection. I am available the whole conference, so if you have questions feel free to approach me. I will be around here. You can just send me an e-mail or Twitter; just look it up on the website. All right, thanks a lot. (CLAPPING)